Bug 667071
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | enforcing MLS: 'rpm -qa' displays nothing in single user mode | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | low | | |
| Version: | 6.1 | CC: | dwalsh |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-63.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-05-19 11:57:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Milos Malik
2011-01-04 10:09:45 UTC
As soon as I switch from enforcing to permissive mode, both rpm and yum work as expected.

Ok, I am seeing on my MLS machine in single mode:
type=1400 audit(1294144300.918:16635): avc: denied { read } for pid=3288 comm="ifconfig" name="console" dev=devtmpfs ino=5036 scontext=system_u:system_r:ifconfig_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=1400 audit(1294144194.133:16634): avc: denied { read } for pid=3262 comm="rpm" name="console" dev=devtmpfs ino=5036 scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Does audit2why say this is a constraint violation?

There is nothing about a constraint violation if I run audit2allow or audit2why on the machine.
Output of audit2allow:
#============= rpm_t ==============
allow rpm_t console_device_t:chr_file read;
Output of audit2why:
type=1400 audit(1294152588.831:540): avc: denied { read } for pid=998 comm="rpm" name="console" dev=devtmpfs ino=4998 scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Yes, there is "just" a missing TE rule for that in MLS. Strange, I see
allow rpm_t console_device_t : chr_file { ioctl write getattr lock append open } ;
in F15, but I do not see this in the .te file.
Well, the same for me. I am also seeing it on MLS machine
#sesearch -AC -s rpm_t -t console_device_t
Found 1 semantic av rules:
allow rpm_t console_device_t : chr_file { ioctl write getattr lock append open } ;
and the same for ifconfig.
I'm going to investigate it.
Oops,
... chr_file { ioctl write getattr lock append open } ;
There is no "read" permission.
And
logging_send_syslog_msg() has
# If syslog is down, the glibc syslog() function
# will write to the console.
term_write_console($1)
term_dontaudit_read_console($1)
Other reproducers:
# useradd --help
# usermod --help
# userdel --help
# groupadd --help
# groupmod --help
# groupdel --help

Change useradd and groupadd to term_use_all_terms

Fixed in selinux-policy-3.7.19-63.el6

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
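The steps taken in this thread (read the AVC denials, compare them with what `sesearch` already allows, and derive the one missing permission) can be reproduced in a few lines. This is an added example, not code from the bug report or from the selinux-policy project; it re-implements in miniature what audit2allow did above, using the denials quoted in the report as constructed sample input and the `sesearch` output quoted above as the `EXISTING` policy.

```python
import re
from collections import defaultdict

# Sample denials, constructed here by copying the AVC lines quoted in this bug report.
SAMPLE_AVCS = [
    'type=1400 audit(1294144300.918:16635): avc: denied { read } for pid=3288 comm="ifconfig" name="console" '
    'dev=devtmpfs ino=5036 scontext=system_u:system_r:ifconfig_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file',
    'type=1400 audit(1294144194.133:16634): avc: denied { read } for pid=3262 comm="rpm" name="console" '
    'dev=devtmpfs ino=5036 scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file',
]
# What `sesearch -AC -s rpm_t -t console_device_t` showed in the report: every chr_file perm except read.
EXISTING = {("rpm_t", "console_device_t", "chr_file"): {"ioctl", "write", "getattr", "lock", "append", "open"}}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:range]; the type is always the third colon-separated field.
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def missing_rules(lines, existing):
    """Aggregate denied perms per (src, tgt, class), minus those the loaded policy already allows."""
    needed = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        needed[(stype, ttype, tclass)] |= perms - existing.get((stype, ttype, tclass), set())
    return {key: perms for key, perms in needed.items() if perms}

def format_rules(rules):
    """Render rules in audit2allow's style: braces only when more than one permission is listed."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        perm_str = p if len(perms) == 1 else "{ " + p + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out

if __name__ == "__main__":
    print("\n".join(format_rules(missing_rules(SAMPLE_AVCS, EXISTING))))
```

Before granting a generated rule, check whether the interface the domain already uses dontaudits the permission instead (as `logging_send_syslog_msg()` does for console read above); a logged denial for a dontaudited access means the domain is not calling that interface at all.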